package cn.tedu.eb_film.config;


import cn.tedu.eb_film.filter.JwtAuthorizationFilter;
import cn.tedu.eb_film.security.AuthenticationEntryPointImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;


/**
 * Security配置类
 *
 * @author ライナー・ロンテ
 * @since 2023/3/6 14:42
 */
@EnableWebSecurity
@Configuration
// 开始权限控制
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration {
    @Autowired
    private AuthenticationEntryPointImpl authenticationEntryPoint;
    @Autowired
    private JwtAuthorizationFilter jwtAuthorizationFilter;

    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
        return authenticationConfiguration.getAuthenticationManager();
    }
    //SecurityFilterChain，该链位于默认链之前，并允许未经身份验证的用户访问公共 API。
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        /*添加白名单*/
        String[] urls = {
                "/doc.html",
                "/**/*.css",
                "/**/*.js",
                "/swagger-resources/**",
                "/v3/api-docs/**",
                "/**"
        };
        //自定义 JWT（JSON Web Token）身份验证过滤器添加到 FilterChainProxy 中的默认过滤器链中，并在 UsernamePasswordAuthenticationFilter 之前应用（执行）该过滤器。
        http.addFilterBefore(jwtAuthorizationFilter, UsernamePasswordAuthenticationFilter.class);
        //参数 SessionCreationPolicy.STATELESS表示我们要使用无状态的会话机制来管理和验证用户身份
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        //处理未通过认证时导致的拒接访问
        http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);

        //关闭csrf防火墙 禁用防止伪造的跨域攻击
        http.csrf().disable();
        //基于请求的访问控制
        http.authorizeRequests()
//                .antMatchers("/toLogin").anonymous()
                .antMatchers(urls).permitAll()
                .antMatchers("/#/login").anonymous()
                .anyRequest().authenticated();

        http.formLogin();

//      http.formLogin().loginPage("/login.html").loginProcessingUrl("/login");


//        http.logout().logoutSuccessUrl("/toLogin");
        //允许复杂请求的跨域访问
        http.cors();

        return http.build();

    }

}
